<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <title>ActionController::RequestForgeryProtection::ClassMethods</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <link rel="stylesheet" href="../../../css/reset.css" type="text/css" media="screen" />
<link rel="stylesheet" href="../../../css/main.css" type="text/css" media="screen" />
<link rel="stylesheet" href="../../../css/github.css" type="text/css" media="screen" />
<script src="../../../js/jquery-1.3.2.min.js" type="text/javascript" charset="utf-8"></script>
<script src="../../../js/jquery-effect.js" type="text/javascript" charset="utf-8"></script>
<script src="../../../js/main.js" type="text/javascript" charset="utf-8"></script>
<script src="../../../js/highlight.pack.js" type="text/javascript" charset="utf-8"></script>

</head>

<body>     
    <div class="banner">
        
            <span>Ruby on Rails v4.0.0</span><br />
        
        <h1>
            <span class="type">Module</span> 
            ActionController::RequestForgeryProtection::ClassMethods 
            
        </h1>
        <ul class="files">
            
            <li><a href="../../../files/actionpack/lib/action_controller/metal/request_forgery_protection_rb.html">actionpack/lib/action_controller/metal/request_forgery_protection.rb</a></li>
            
        </ul>
    </div>
    <div id="bodyContent">
        <div id="content">
  


  


  
  


  


  
    <!-- Method ref -->
    <div class="sectiontitle">Methods</div>
    <dl class="methods">
      
        <dt>P</dt>
        <dd>
          <ul>
            
              
              <li>
                <a href="ClassMethods.html#method-i-protect_from_forgery">protect_from_forgery</a>
              </li>
            
          </ul>
        </dd>
      
    </dl>
  

  



  

    

    

    


    


    <!-- Methods -->
        
      <div class="sectiontitle">Instance Public methods</div>
      
        <div class="method">
          <div class="title method-title" id="method-i-protect_from_forgery">
            
              <b>protect_from_forgery</b>(options = {})
            
            <a href="ClassMethods.html#method-i-protect_from_forgery" name="method-i-protect_from_forgery" class="permalink">Link</a>
          </div>
          
          
            <div class="description">
              <p>Turn on request forgery protection. Bear in mind that only non-GET,
HTML/JavaScript requests are checked.</p>

<pre class="ruby"><span class="ruby-keyword">class</span> <span class="ruby-constant">FooController</span> <span class="ruby-operator">&lt;</span> <span class="ruby-constant">ApplicationController</span>
  <span class="ruby-identifier">protect_from_forgery</span> <span class="ruby-identifier">except</span><span class="ruby-operator">:</span> :<span class="ruby-identifier">index</span>
</pre>

<p>You can disable csrf protection on controller-by-controller basis:</p>

<pre>skip_before_action :verify_authenticity_token</pre>

<p>It can also be disabled for specific controller actions:</p>

<pre>skip_before_action :verify_authenticity_token, except: [:create]</pre>

<p>Valid Options:</p>
<ul><li>
<p><code>:only/:except</code> - Passed to the <code>before_action</code> call.
Set which actions are verified.</p>
</li><li>
<p><code>:with</code> - Set the method to handle unverified request.</p>
</li></ul>

<p>Valid unverified request handling methods are:</p>
<ul><li>
<p><code>:exception</code> - Raises ActionController::InvalidAuthenticityToken
exception.</p>
</li><li>
<p><code>:reset_session</code> - Resets the session.</p>
</li><li>
<p><code>:null_session</code> - Provides an empty session during request but
doesn't reset it completely. Used as default if <code>:with</code> option
is not specified.</p>
</li></ul>
            </div>
          
          
          
          
          
            
            <div class="sourcecode">
              
              <p class="source-link">
                Source: 
                <a href="javascript:toggleSource('method-i-protect_from_forgery_source')" id="l_method-i-protect_from_forgery_source">show</a>
                
                  | <a href="https://github.com/rails/rails/blob/c60be72c5243c21303b067c9c5cc398111cf48c8/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L88" target="_blank" class="github_url">on GitHub</a>
                
              </p>
              <div id="method-i-protect_from_forgery_source" class="dyn-source">
                <pre><span class="ruby-comment"># File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 88</span>
<span class="ruby-keyword">def</span> <span class="ruby-keyword ruby-title">protect_from_forgery</span>(<span class="ruby-identifier">options</span> = {})
  <span class="ruby-keyword">self</span>.<span class="ruby-identifier">forgery_protection_strategy</span> = <span class="ruby-identifier">protection_method_class</span>(<span class="ruby-identifier">options</span>[<span class="ruby-value">:with</span>] <span class="ruby-operator">||</span> <span class="ruby-value">:null_session</span>)
  <span class="ruby-keyword">self</span>.<span class="ruby-identifier">request_forgery_protection_token</span> <span class="ruby-operator">||=</span> <span class="ruby-value">:authenticity_token</span>
  <span class="ruby-identifier">prepend_before_action</span> <span class="ruby-value">:verify_authenticity_token</span>, <span class="ruby-identifier">options</span>
<span class="ruby-keyword">end</span></pre>
              </div>
            </div>
            
          </div>
                    </div>

    </div>
  </body>
</html>    